
Page's title should be encoded or filtering html entities/javascript code #271

Closed
kuqadk3 opened this issue May 30, 2019 · 6 comments

@kuqadk3

commented May 30, 2019

I was testing on:

  • Wordpress 5.2.1
  • WP Statistic 12.6.5

An account with the Editor role can create a Post with a Title that contains javascript/html. For example:

<script>alert(document.cookie)</script>

[screenshot]

WP Statistics pages that use these titles will be affected by an XSS attack, for example: Overviews, Pages, ...

[screenshot]

Even if the Editor deletes the Post, it still remains in the top 10 pages that got the most hits, so the Overviews page is still affected. So in reality, an attacker that controls the Editor account can create a page with a title that contains malicious javascript code that steals the admin cookie (for example), visit it a lot so that it gets into the top 10 most visited pages, then delete the post so the admin won't notice the weird post that has javascript in its title. And when the admin clicks on the Overviews page of WP Statistics, his cookie will be stolen.

@mehrshaddarzi mehrshaddarzi self-assigned this May 30, 2019

@mehrshaddarzi mehrshaddarzi added the bug label May 30, 2019

@mehrshaddarzi mehrshaddarzi added this to the 12.7 milestone May 30, 2019

@mehrshaddarzi

Contributor

commented May 30, 2019

Hi @kuqadk3
Please change this line:

'title' => get_the_title( $page_id ),

to

'title' => esc_html( get_the_title( $page_id ) ),

and give me feedback.

@kuqadk3

Author

commented May 30, 2019

WoW. Nice. Quick fix.

That fixes the XSS in Overview and Pages.

Categories and Author are also affected and still affected. Sorry for not mentioning them in the first place.

@kuqadk3

Author

commented May 30, 2019

I think we need to esc_html all the places that use $post_obj->post_title

https://github.com/wp-statistics/wp-statistics/search?utf8=%E2%9C%93&q=%24post_obj-%3Epost_title&type=
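As an added example (not code from this issue or from the WP Statistics project), the following script performs the audit kuqadk3 proposes above: it scans PHP source lines for the two title sources named in this thread, `get_the_title(...)` and `$post_obj->post_title`, and reports every occurrence that is not wrapped in a WordPress escaping helper such as `esc_html()`. The PHP lines it scans are constructed here for illustration, modelled on the two lines quoted in the thread; the list of escaping functions is an assumption about which helpers count as safe for HTML output.

```python
import re

# Constructed sample PHP lines (not the plugin's real code), modelled on the
# vulnerable and fixed lines quoted in the issue.
SAMPLE_PHP = """\
'title' => get_the_title( $page_id ),
'title' => esc_html( get_the_title( $page_id ) ),
echo $post_obj->post_title;
echo esc_html( $post_obj->post_title );
$row['name'] = esc_attr( $post_obj->post_title );
printf( '<td>%s</td>', $post_obj->post_title );
"""

# Expressions that yield a post title, i.e. attacker-controlled (Editor-supplied) text.
TITLE_SOURCES = re.compile(r"get_the_title\s*\(|\$post_obj->post_title")

# WordPress helpers assumed to neutralise the value for the context they target
# (esc_html for element content, esc_attr for attributes, esc_js for script strings).
ESCAPERS = (
    "esc_html", "esc_attr", "esc_js", "esc_textarea",
    "wp_kses", "wp_kses_post", "sanitize_text_field",
)


def is_escaped(line, pos):
    """True if the title expression starting at `pos` sits inside the argument
    list of one of ESCAPERS. Walks backwards, tracking parenthesis depth, so
    printf( esc_html( $x ) ) is recognised as escaped while
    printf( '%s', $x ) is not. Parentheses inside string literals are not
    understood; this is a single-line heuristic, not a PHP parser."""
    depth = 0
    i = pos - 1
    while i >= 0:
        ch = line[i]
        if ch == ")":
            depth += 1
        elif ch == "(":
            if depth == 0:
                # Found an enclosing call; read the function name before '('.
                m = re.search(r"([A-Za-z_][A-Za-z0-9_]*)\s*$", line[:i])
                if m and m.group(1) in ESCAPERS:
                    return True
                # Not an escaper: keep walking outward to the next enclosing call.
            else:
                depth -= 1
        i -= 1
    return False


def find_unescaped_titles(php_source):
    """Return (line_number, stripped_line) for each title use with no escaper."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for m in TITLE_SOURCES.finditer(line):
            if not is_escaped(line, m.start()):
                findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, text in find_unescaped_titles(SAMPLE_PHP):
        print(f"line {lineno}: unescaped post title: {text}")
```

Run against a checkout, the same scan can be fed each `.php` file's contents; lines 1, 3 and 6 of the constructed sample are reported, lines 2, 4 and 5 are not. The check is deliberately per-line and conservative: a title escaped on a later line (for example stored in a variable and escaped at output time) will still be flagged, which is the safer direction for an audit.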

@mehrshaddarzi

Contributor

commented May 30, 2019

@kuqadk3
Yes.
We fixed this issue for the next version.
Thanks a lot.

@ethicalhack3r


commented Jun 4, 2019

Hi! Ryan from wpvulndb.com here.

Do you know when the next version will be released which includes this patch?

We'd like to add the vulnerability to our database, but would prefer to do so once it has been patched.

Thanks!

@mostafasoufi

Member

commented Jun 4, 2019

Hi @ethicalhack3r,

The new version will be released by Friday.
